In a stunning twist, U.S. authorities this week arrested a British cyber-researcher credited with stopping the spread of the WannaCry ransomware virus on charges he helped develop and deploy the Kronos banking trojan that attacked financial institutions around the world in 2014.

Following a two-year investigation, a federal grand jury in Wisconsin last month handed down a six-count indictment against Marcus Hutchins, a resident and citizen of the UK who operated under the name “Malwaretech,” according to U.S. Attorney Gregory Haanstad, who oversees the Eastern District of Wisconsin.

Hutchins was arrested Wednesday at the McCarran International Airport in Las Vegas, where he had been attending the Def Con hacking conference. The charges include one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.

Origin Story

Hutchins created the Kronos malware, prosecutors have alleged.

A video showing the functionality of the Kronos banking trojan was posted to a publicly available website in July 2014, according to a copy of a sealed indictment the U.S. District Court posted July 12.

A defendant, whose name is blacked out, used the video to show how Kronos worked, the indictment says. A defendant, again with the name blacked out, offered to sell the Kronos banking trojan for US$3,000.

Defendants whose names were blacked out updated the Kronos malware in early 2015, according to the indictment. In April of that year, a defendant whose name was blacked out allegedly advertised the malware on the AlphaBay market forum.